Money Control in Belgium – your bank account speaks louder than words, and the tax authorities are listening
In late 2025, a controversial Belgian legislative proposal to combat tax fraud has reignited fundamental debates on privacy, algorithmic governance, and the rule of law. The proposal was pejoratively dubbed Money Control by its critics, and even lead to a fairly unique filibuster in the Belgian Parliament. At its core, the draft law envisages shifting from traditional, suspicion-based fiscal inquiries to proactive scanning of financial data using algorithms, raising acute concerns under EU data protection and fundamental rights frameworks.
Context: the Money Control vision in a nutshell
Under current Belgian law, tax authorities have a multitude of sources at their disposal to identify potential tax fraud cases. One of these is the Central Contact Point (Centraal Aanspreekpunt or Point de contact central - CCP), a database maintained by the National Bank of Belgium containing financial account information such as bank account holders, account balances, and related financial contract data. The tax authorities may however traditionally only access this when there are specific and clear indications of fraud.
The contested amendment, embedded in a much broader piece of reform legislation, would significantly expand this power. Among other points, it proposes the integration of CCP data into the Ministry of Finance’s data warehouse, and provides a mandate for the AI-assisted datamining of these datasets with the explicit objective of detecting anomalies and risk patterns across the entire population, absent any prior suspicion of wrongdoing. The envisioned system would continuously process financial data of all taxpayers, including bank accounts, securities and potentially crypto accounts, in order to generate risk profiles that can trigger further scrutiny.
Proponents reasonably argue that enhanced data analytics and AI integration will improve the fight against increasingly sophisticated tax evasion schemes. Opponents predictably counter that the proposal effectively treats every citizen as a potential suspect and undermines the very premise of targeted fiscal enforcement.
Data protection compliance – fundamental criticisms
The Belgian Data Protection Authority issued a critical and detailed opinion on the proposal (Advice nr. 36/2025, available in Dutch and in French) in May 2025. While the Authority supported, in principle, targeted access to the CCP when already existing indications of tax fraud justify such access, it expressed strong reservations about the planned integration of CCP data into a ministerial data warehouse for generalised datamining, matching and profiling, highlighting that this would constitute a severe interference with data protection rights. The DPA’s analysis highlights notably the following legal failings:
Necessity and proportionality: The draft law does not adequately justify why a shift from reactive, suspicion-based access to a proactive, data-first regime is strictly necessary in a democratic society. Without robust justification, the interference bears little resemblance to legitimate, proportionate processing.
Finality and purpose limitation: The proposed broad integration of CCP data into the data warehouse for profiling and datamining collides with the reactive purpose for which the CCP was originally authorised. It is a clear example of scope creep, and the DPA warns against conflicting processing purposes, undermining the finality principle that underpins sound data protection governance.
Automated individual decision-making: The use of AI to generate risk profiles with potential real-world consequences triggers certain mandatory protections under the GDPR. The Authority expressed its concern over the lack of detail regarding the scope of human oversight, the risk models, and criteria for subsequent intervention.
Duplication of authentic sources and data minimisation: The plan to replicate CCP data into a separate data warehouse raises concerns with respect to data minimisation and the once-only principle, which safeguards against unnecessary duplication and expanded use of personal data. Duplicating a sensitive database also increases the risk of incidents.
Globally, the DPA considers that the draft legislation fails to meet the stringent thresholds of necessity and proportionality under EU data protection law for the envisaged mass processing of financial data, and the linked profiling of tax payers.
AI inspectors watching your bank accounts?
One of the pillars of the proposal is the algorithmic datamining of CCP data. Following pseudonymisation of the original (directly identifiable) CCP data and transfer to the Ministry’s data warehouse, algorithms would be used to determine risk scores and risk profiles of the pseudonymised account holders, to identify potential fraud situations (e.g. on the basis of suspicious bank transfers or offshore account holdings), and to identify priority targets for further investigation. In other words, algorithms would assist in singling out persons to be audited.
From an AI governance perspective, the proposal likely collides with evolving EU norms on trustworthy and transparent AI. Although the European AI Act is not yet fully in force for all high-risk scenarios, its principles underscore the importance of risk management, human oversight and transparency in systems that materially affect individuals’ rights and freedoms. It is not clear whether or how the Belgian law would clear that bar.
Deploying AI models on sensitive financial data without clear specification of the models, transparency of logic or explainable outputs amplifies the risk of opaque profiling and disparate impact. Historical precedents such as the Dutch childcare benefits scandal, where automated risk profiling led to wrongful allegations against thousands of families, illustrate how algorithmic systems can embed biases and produce hallucinations with grave consequences.
Moreover, without robust safeguards including documented impact assessments, human-in-the-loop mechanisms and meaningful notice to data subjects, such a system risks contravening fundamental EU values on fairness and accountability.
Further challenges ahead
Despite these doubts, the proposal was adopted in December 2025. Procedures before the Belgian Constitutional Court seem inevitable however. In that case, the Court will undoubtedly need to take the recent Ferrieri decision of the European Court of Human Rights under consideration, which looked critically at the requirements for tax authorities to access bank account data. That precedent may not bode well for the future of Money Control.
More generally though, Belgium’s experience serves as a cautionary tale, in several ways. Firstly, it shows the dangers of scope creep, where the creation of an initially fairly well defined database with a clearly delineated mission statement also created a very easy target for abuse: once the data is there, it’s very tempting to just take the next step and use it for much, much more.
Secondly, it illustrates that technology indeed may enhance enforcement efficiently, but that it should be tethered to legal safeguards that protect individuals’ rights and maintain public trust. Without scrupulous calibration, even well-intended systems can slide toward Orwellian outcomes.
Article provided by INPLP member: Hans Graux (Time Lex, Belgium)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)